are given. Algorithms to find the min-cut-sets and related bounds, together with various means for computing the probability of the Top Event, are presented. Measures of event importance are discussed. Numerical examples are presented to illustrate the concepts.
INTRODUCTION TO FAULT TREE ANALYSIS

by

Richard E. Barlow and Purnendu Chatterjee


0. INTRODUCTION AND SUMMARY

This is a semi-expository introduction to the mathematics of fault tree analysis. The literature on fault tree analysis is, for the most part, scattered through conference proceedings and company reports. Therefore, we feel that a readable, logical introduction to the subject is very much needed.

A discussion of fault tree construction may be found in Lambert (1973). A description of fault tree concepts and techniques can also be found in Fussell (1973). Vesely (1970) has considered fault tree analysis from the point of view of computer implementation.

Our main contribution is to develop a mathematical theory of fault tree analysis using many of the concepts of coherent structure theory [Birnbaum, Esary and Saunders (1961)] and to show how dependent events may be analyzed.

It has been observed by reliability theorists that many of the quantities computed by fault tree analysts can also be computed using the concepts and techniques of reliability theory. While this is true, we feel that the tree structure used by fault tree analysts and the somewhat different problems of interest to fault tree analysts warrant a separate development.

In Section 1 we present some examples of fault trees and the symbols used. In Section 2 we describe some algorithms due to J. Fussell (1973) for analyzing fault trees. Dual fault trees and their uses are described in Section 3. Section 4 is a lengthy development of methods for probability evaluation of fault trees. New results on computing probabilities for trees with dependent events are presented. Section 5 considers measures of event importance. Many concepts are illustrated using the pressure tank example introduced in Section 1.
1. FAULT TREES

To construct fault trees we employ the following useful symbolism. Component states or, more generally, basic events will be represented by circles and diamonds. A system event of major importance will be represented by a rectangle called the Top Event, appearing at the top of the fault tree. For example, this may indicate a particular type of system failure. Intermediate system or subsystem events will also be represented by rectangles. Immediately below each rectangle will be either an AND gate represented by

AND GATE (Output above, Inputs below)

or an OR gate represented by

OR GATE (Output above, Inputs below)

The output event to an AND gate occurs if and only if all input events occur. It is helpful to put a dot (for set product or intersection) in the center of the AND gate. For example, to symbolize that if each of the events A, B, C, and D occur, then the event E will occur, the fault tree analyst would draw

FIGURE 1: AND GATE

The output event to an OR gate occurs if one or more of the input events occur. It is helpful to put a plus (for set sum or union) in the center of the OR gate. For example, E occurs if one or more of the events A, B, C or D occurs in Figure 2.

FIGURE 2: OR GATE

Repetition of basic events is permitted in a fault tree.

Example.  One-out-of-Two  Twice  System. 

Figure  3  symbolizes  a  system  whose  function  is  to  shut  down  a  nuclear  power 
plant  in  the  event  of  a  low  coolant  pressure.  The  2-out-of-2  coincidence  unit 
produces  a  trip  signal  provided  that  the  "OR"  unit  in  both  the  upper  and  lower 


*  *  Ttsn  ^ 
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branches  simultaneously  produces  an  output  signal.  Such  logic  is  called  one-out- 
of-two  twice.  Units  through  c^  are  pressure  switches.  The  I6*1  switch 
will  produce  an  output  signal  (we  call  this  basic  event  i)  if  the  pressure  p^ 

drops  below  a  prescribed  value,  i  -  1 . 4  .  A  fault  tree  for  thie  system 

with  Top  Event,  "Spt.iious  Trip  Signal  Produced,"  is  shown  i.  Figure  4. 
Example. Pressure Tank System.

Consider the pressure tank engineering diagram in Figure 5. Let the Top Event (which we wish to prevent) be the rupture of the pressure tank. To start pumping, the switch S1 (a push button) is closed and then immediately opened. This allows current to flow in the control branch circuit which activates relay coil K2. Relay contacts K2 then close and start up the pump motor. After a period of approximately 20 seconds, the pressure switch contacts open (since excess pressure is detected by the pressure switch), deactivating the control circuit which de-energizes the K2 coil. The K2 contacts then open and shut off the motor. If there is a pressure switch malfunction, then the timer relay contacts open after 60 seconds, de-energizing coil K2, and shutting off the pump. The timer resets itself automatically after each cycle.

The fault tree drawn in Figure 6 is based on an analysis of the possible failure modes of the system. Circles represent primary basic events, while diamonds represent secondary basic events. For example, if the K1 relay contacts (Figure 5) fail to open under normal operating conditions (i.e., within the "design envelope"), this is considered a primary basic event. If the K1 relay fails to open because the wrong relay was installed, then this is considered a secondary basic event. A systematic method for drawing fault trees has been developed by David Haasl (1965). The pressure tank example is due to Haasl [cf. also Lambert (1973)].

FIGURE 5:

PRESSURE TANK FAULT TREE
Generally, fault trees serve three purposes:

1. In safety analysis, a fault tree aids in determining the possible causes of an accident. When properly used, the fault tree often leads to discovery of failure combinations which otherwise might not have been recognized as causes of the event being analyzed.

2. The fault tree serves as a display of results. If the system design is not adequate, the fault tree can be used to show what the weak points are and how they lead to undesirable events. If the design is adequate, the fault tree can be used to show that all conceivable causes have been considered.

3. The fault tree provides a convenient and efficient format helpful in the computation of the probability of system failure.
2. MINIMUM CUT SET ALGORITHM

A cut set is a set of basic events whose occurrence causes the Top Event to occur. A cut set is minimal if it cannot be reduced and still insure the occurrence of the Top Event. A listing of minimal cut sets (or min cut sets) is useful for design purposes in order to determine the "weakest links" in the system.

For a fault tree with perhaps hundreds of gates and hundreds of basic events it is clearly not easy, nor in general possible, to determine all min cut sets by inspection. An algorithm is therefore required to generate all min cut sets. The algorithm is based on the fact that an AND gate always increases the size of a cut set while an OR gate always increases the number of cut sets. The algorithm obtains cut sets such that, if all the primary events were different, the cut sets so generated would be precisely the minimal cut sets. When this is not the case, the cut sets generated by the algorithm are then reduced to minimal cut sets. This algorithm was first stated by J. Fussell and W. Vesely (1972).

The simplest and clearest way to explain the min cut set algorithm is to illustrate its operation in an example. Figure 7 is a relabelling of the basic events and gates in the pressure tank fault tree described in Figure 6. AND and OR gates are labelled G-1 through G-8. The algorithm begins with the gate immediately below the Top Event, which we label G-0. If G-0 is an OR gate, each input is used as an entry in separate rows of a list matrix. If G-0 is an AND gate, each input is used as an entry in the first row of a list matrix. Since in Figure 7 the gate immediately below the Top Event is an OR gate, we begin the construction of our list matrix by listing inputs 1, G-1, and 2 in separate rows as follows:

1
G-1
2

Since any one of these input events can cause the Top Event to occur, each will be a member of a separate cut set.

The idea of the algorithm is to replace each gate by its input gates and basic events until a list matrix is constructed, all of whose entries are basic events. The rows will then correspond to cut sets.

Since G-1 is an OR gate, we again replace G-1 by its input events in separate rows as follows:

Since G-2 is also an OR gate, we replace G-2 by its input events as follows:

Since G-3 is an AND gate, we replace the row containing G-3 by its inputs as follows:

G-4, G-5

Since all inputs to an AND gate must occur to cause the corresponding intermediate event above the AND gate, we see that an AND gate increases the length of its row. An OR gate, on the other hand, increases the number of rows in our list matrix.

Replacing G-4 by its inputs, we have

1
4
5
G-6, G-5
G-7, G-5
3
2 .
Continuing in this fashion we eventually obtain a list matrix with 29 rows. These are (in a different order):

1
2
3
4
5
6, 9
6, 10
6, 11
6, 12
6, 13
6, 14
6, 15
6, 16
7, 9
7, 10
7, 11
7, 12
7, 13
7, 14
7, 15
7, 16
8, 9
8, 10
8, 11
8, 12
8, 13
8, 14
8, 15
8, 16
In the pressure tank fault tree (Figure 7), basic events are not repeated. For this reason all of our cut sets are minimal cut sets; i.e., no one cut set is contained in any other cut set. More generally, with replication of basic events in the event tree, we will not obtain only min cut sets by this algorithm. Therefore it will be necessary, in general, to reduce the list, eliminating cut sets which contain other cut sets. The resulting list will then contain all min cut sets for the fault tree.

The cut sets obtained by the above algorithm are called Boolean Indicated Cut Sets (or BICS) since they will not, in general, be minimal. It is a simple matter to determine the number and maximum size of BICS for a fault tree. For large fault trees this should be done before applying the min cut algorithm in order to dimension the list matrix.


An Algorithm for Determining the Number of BICS

The number of BICS is an upper bound to the number of minimal cut sets.

It is, perhaps, easiest to explain the algorithm by an example. We consider the pressure tank fault tree in Figure 7 once again. First, assign weight 1 to each of the 16 basic events. Next, assign weights to each gate starting from the bottom until we reach the top. The weight assigned to the Top Event will be the number of BICS. To an OR gate we assign a weight corresponding to the sum of the weights of events input to the OR gate; thus, gates G5, G6 and G8 are each assigned weight 3. Gate G7 is assigned weight 5 since input events 12 and 13 each have weight 1. Gate G4 is assigned weight 8.

To an AND gate we assign a weight corresponding to the product of the weights of the input events. Hence, gate G3 is assigned weight 24. Gate G2 is assigned weight 26 while gate G1 is assigned weight 27. The Top Event is assigned weight 29. This is precisely the number of BICS found by the min cut algorithm. [See Fussell (1973).]


An Algorithm for Determining the Maximum Number of Basic Events in any BICS

As in the previous algorithm, we begin by assigning weight 1 to all basic events. However, we employ a different method of assigning weights to gates. Again, consider the pressure tank example in Figure 7. To an OR gate we assign a weight corresponding to the maximum of the weights of input events. Thus, gates G5, G6 and G8 are assigned weight 1. Likewise, gates G7 and G4 are assigned weight 1.

To an AND gate we now assign the sum of weights corresponding to input events. Thus, gate G3 has weight 2. Likewise, gates G2, G1 and, finally, the Top Event have weight 2. Recall that the maximum length of BICS obtained by our min cut algorithm for the pressure tank example was also 2. In general, this algorithm will only obtain an upper bound on the maximum size of min cut sets. [See Fussell (1973).]

See Chatterjee (1973) for a rigorous presentation and proofs of the preceding algorithms.
3. DUAL FAULT TREES

If the Top Event occurs we have system failure. This is of great interest from a safety point of view. However, from a reliability point of view, we are also interested in the nonoccurrence of the Top Event. To draw the dual fault tree, replace OR gates by AND gates and AND gates by OR gates in the original fault tree. Events are also replaced by their corresponding dual. If the Top Event is "pressure tank rupture" as in Figure 6, the dual event is "no pressure tank rupture." More generally, dual basic events correspond to the nonoccurrence of the original basic events. The dual fault tree for the pressure tank example is drawn in Figure 8.

The min cut sets for the dual fault tree are the min path sets for the original fault tree. A path set is a set of basic events whose nonoccurrence insures the nonoccurrence of the Top Event. A path set is minimal if it cannot be further reduced and still remain a path set. To find min path sets for a fault tree, draw the dual fault tree and use the min cut algorithm to find the minimal cuts for the dual fault tree. The min cut sets for the dual fault tree in Figure 8 are the min path sets for the original pressure tank fault tree of Figure 7. They are

{1', 2', 3', 4', 5', 6', 7', 8'}

{1', 2', 3', 4', 5', 9', 10', 11', 12', 13', 14', 15', 16'} .

(We use primes to indicate dual events.) If all basic events in either of these min path sets do not occur, the Top Event in Figure 7 does not occur, i.e., the pressure tank does not rupture. Since there are only 2 min path sets as contrasted to 29 min cut sets, it will be easier to compute probabilities later using the min path sets.


Example. The One-out-of-Two Twice System.

The one-out-of-two twice system fault tree is presented in Figure 4. The min cut sets are {1,3}, {1,4}, {2,3}, and {2,4}. If the coolant pressure is not low, the occurrence of any one of the four min cut set events would produce a spurious alarm.

The dual of the fault tree is presented in Figure 9. This fault tree has two min cuts {1',2'} and {3',4'}. These are min paths for the original fault tree. There are thus only two min path sets in the original event tree which could cause the failure of a trip signal when low coolant pressure is actually present.

From this analysis (which neglects event probabilities) we see that the system has been designed to ensure valid alarms when low coolant pressure is present. However, it would appear prone to the production of false alarms since there are four min cut sets, any one of whose occurrence could cause a false alarm. A two-out-of-three system, for example, would be less prone to false alarms.
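The list-matrix algorithm of Section 2, the two weight algorithms for the number and maximum size of BICS, and the dual-tree route to min path sets of Section 3, as an added Python example (not code from the paper). The gate wiring used for Figure 7 is reconstructed from what the text states about it (which gates are AND or OR, the gate weights 3, 5, 8, 24, 26, 27, 29, and the 29 cut sets), so the exact input order of each gate is an assumption; the third tree, with repeated events, is constructed here to show the reduction of BICS to minimal cut sets, which the pressure tank tree never needs.

```python
"""Min cut sets, BICS bounds and min path sets of a fault tree.

Added example, not code from the paper.  The wiring of PRESSURE_TANK is
reconstructed from the text of Section 2; the input order of each gate is an
assumption.  REPEATED is a constructed tree with basic events 1 and 2 repeated.
"""
from math import prod

# A tree maps a gate name to (kind, inputs); an input is another gate name or an
# integer basic event.  "G-0" is the gate immediately below the Top Event.
PRESSURE_TANK = {                     # Figure 7 (reconstructed wiring)
    "G-0": ("OR", [1, "G-1", 2]),
    "G-1": ("OR", ["G-2", 3]),
    "G-2": ("OR", ["G-3", 4, 5]),
    "G-3": ("AND", ["G-4", "G-5"]),
    "G-4": ("OR", ["G-6", "G-7"]),
    "G-5": ("OR", [6, 7, 8]),
    "G-6": ("OR", [9, 10, 11]),
    "G-7": ("OR", [12, 13, "G-8"]),
    "G-8": ("OR", [14, 15, 16]),
}
ONE_OUT_OF_TWO_TWICE = {              # Figure 4: spurious trip signal produced
    "G-0": ("AND", ["G-1", "G-2"]),
    "G-1": ("OR", [1, 2]),
    "G-2": ("OR", [3, 4]),
}
REPEATED = {                          # constructed: events 1 and 2 appear twice
    "G-0": ("OR", ["G-1", "G-2"]),
    "G-1": ("AND", [1, 2]),
    "G-2": ("AND", [1, "G-3"]),
    "G-3": ("OR", [2, 3]),
}


def bics(tree, top="G-0"):
    """Fussell-Vesely list-matrix algorithm.  A gate entry in a row is replaced by
    its inputs: an AND gate lengthens the row, an OR gate turns the row into one
    row per input.  Returns the rows (the BICS) once no gate is left."""
    rows = [[top]]
    while True:
        for r, row in enumerate(rows):
            gate = next((x for x in row if isinstance(x, str)), None)
            if gate is not None:
                break
        else:                                   # no gate left in any row
            return [frozenset(row) for row in rows]
        kind, inputs = tree[gate]
        idx = row.index(gate)
        rest = row[:idx] + row[idx + 1:]
        if kind == "AND":
            rows[r] = rest + list(inputs)
        else:
            rows[r:r + 1] = [rest + [x] for x in inputs]


def min_cut_sets(tree, top="G-0"):
    """Reduce the BICS to min cut sets: drop duplicates and any set that contains another."""
    sets = set(bics(tree, top))
    return sorted((c for c in sets if not any(o < c for o in sets)),
                  key=lambda c: (len(c), sorted(c)))


def bics_count(tree, gate="G-0"):
    """Number of BICS: weight 1 per basic event, sum at an OR gate, product at an AND gate."""
    kind, inputs = tree[gate]
    w = [bics_count(tree, x) if isinstance(x, str) else 1 for x in inputs]
    return prod(w) if kind == "AND" else sum(w)


def bics_max_size(tree, gate="G-0"):
    """Upper bound on the size of any BICS: max at an OR gate, sum at an AND gate."""
    kind, inputs = tree[gate]
    w = [bics_max_size(tree, x) if isinstance(x, str) else 1 for x in inputs]
    return sum(w) if kind == "AND" else max(w)


def dual(tree):
    """Dual fault tree: swap AND and OR.  Basic event i then stands for its dual i'."""
    return {g: ("OR" if k == "AND" else "AND", ins) for g, (k, ins) in tree.items()}


def min_path_sets(tree, top="G-0"):
    """Min cut sets of the dual tree are the min path sets of the original tree."""
    return min_cut_sets(dual(tree), top)


if __name__ == "__main__":
    for name, tree in [("pressure tank", PRESSURE_TANK),
                       ("one-out-of-two twice", ONE_OUT_OF_TWO_TWICE),
                       ("repeated events", REPEATED)]:
        cuts, paths = min_cut_sets(tree), min_path_sets(tree)
        print(f"{name}: {len(bics(tree))} BICS (weight {bics_count(tree)}, "
              f"max size {bics_max_size(tree)}), {len(cuts)} min cuts, {len(paths)} min paths")
```

For the pressure tank the weights reproduce 29 BICS of maximum size 2 and the two min path sets of Section 3; for the constructed REPEATED tree the weight algorithm counts 3 BICS but only 2 of them survive the reduction, which is the situation the text describes for trees with replicated events.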


Relay Circuits

Yet another application of the dual fault tree concept is to relay circuits. Suppose like relays are subject to two kinds of failure: failure to close and failure to open. Similarly, circuits constructed from these relays are subject to two kinds of failure: failure to close, i.e., no closed path is achieved from input wire to output wire when the circuit is commanded to close; and failure to open, i.e., a closed path exists from input wire to output wire even though the circuit is commanded to open.

If we construct a fault tree for such a circuit with Top Event "Failure to Close", then the dual fault tree would have the dual Top Event "Failure to Open". Thus, having constructed a fault tree for one kind of failure, the dual tree can be used to solve the second kind of failure.

FIGURE 9: DUAL OF ONE-OUT-OF-TWO TWICE SYSTEM FAULT TREE
4. PROBABILITY EVALUATION OF FAULT TREES

A major goal of fault tree analysis is to calculate the probability of occurrence of the Top Event. However, it may also be useful to calculate the importance of min cut sets to the Top Event or the importance of specified basic events to the Top Event. We first review the most commonly used methods for calculating the probability of occurrence of the Top Event and then present new results for the case of dependent events. To make these calculations it is useful to introduce a Boolean representation for fault trees similar to that used for coherent structures [Birnbaum, Esary and Saunders (1961)].

Let

$$Y_i = \begin{cases} 1 & \text{if basic event } i \text{ occurs} \\ 0 & \text{otherwise.} \end{cases}$$

Let $Y = (Y_1, Y_2, \ldots, Y_n)$ be the vector of basic event outcomes. Define

$$\psi(Y) = \begin{cases} 1 & \text{if the Top Event occurs} \\ 0 & \text{otherwise.} \end{cases}$$

$\psi$ is the Boolean indicator function for the Top Event. We assume henceforth that each basic event occurs in the union of all min cut sets; i.e., all basic events are relevant to the Top Event.

The Boolean indicator function can be determined from either the min cut sets or the min path sets. It will be convenient to introduce the notation

$$\coprod_{i=1}^{m} Y_i \stackrel{\text{df}}{=} 1 - \prod_{i=1}^{m} (1 - Y_i) .$$

Min Cut Representation.

Let $K_1, K_2, \ldots, K_k$ be the min cut sets of basic events for a specified fault tree. Then

$$\psi(Y) = \coprod_{s=1}^{k} \prod_{i \in K_s} Y_i$$

is the so-called min cut representation for $\psi$.

Min Path Representation.

Let $P_1, P_2, \ldots, P_p$ be the min path sets of basic events for a specified fault tree. Then

$$\psi(Y) = \prod_{r=1}^{p} \coprod_{i \in P_r} Y_i ,$$

is the so-called min path representation for $\psi$.

It is evident from either the min cut or the min path representation that $\psi$ is coordinatewise nondecreasing.

Example. Pressure Tank System.

Let $Y = (Y_1, Y_2, \ldots, Y_{16})$ be the random vector for basic event outcomes in the pressure tank event tree in Figure 7. Let $\psi(Y) = 1$ if the Top Event occurs for outcome vector $Y$; i.e., the pressure tank ruptures, and $\psi(Y) = 0$ otherwise. Then using the min path sets {1,2,3,4,5,6,7,8} and {1,2,3,4,5,9,10,11,12,13,14,15,16} and the min path representation, we see that

$$\psi(Y) = \Big[\coprod_{1 \le i \le 8} Y_i\Big]\Big[\coprod_{\substack{1 \le i \le 16 \\ i \ne 6,7,8}} Y_i\Big] = \Big[1 - \prod_{i=1}^{8} (1 - Y_i)\Big]\Big[1 - \prod_{\substack{1 \le i \le 16 \\ i \ne 6,7,8}} (1 - Y_i)\Big] .$$

Since there are 29 min cuts for this example, the min path representation is easier to work with.

To calculate the probability of the Top Event, which in this case is pressure tank rupture, let

$$P[Y_i = 1] = EY_i = q_i$$

be the probability that basic event $i$ occurs, where $E$ stands for expectation. For the moment, assume all basic events are statistically independent. Then

$$P[\text{Top Event}] = E\psi(Y)$$

$$(4.0) \qquad = 1 - \prod_{i=1}^{8} (1 - q_i) - \prod_{\substack{i=1 \\ i \ne 6,7,8}}^{16} (1 - q_i) + \prod_{i=1}^{16} (1 - q_i) .$$

Assume that basic event 1 (i.e., the pressure tank itself fails) occurs on the average once in $10^{8}$ loading cycles or, in other words, $q_1 = 10^{-8}$. Assume basic event $i$ ($i \ne 1$) occurs on the average once in $10^{5}$ loading cycles or, in other words, $q_i = 10^{-5}$ for $i \ne 1$. Then

$$E\psi(Y) = 1 - (1 - 10^{-8})(1 - 10^{-5})^{7} - (1 - 10^{-8})(1 - 10^{-5})^{12} + (1 - 10^{-8})(1 - 10^{-5})^{15} .$$

Hence

$$E\psi(Y) \approx 4 \times 10^{-5} .$$

Boolean Reduction.

In principle we can always compute the exact probability of the Top Event by reducing the Boolean expression, $\psi(Y)$, for the fault tree. We do this using the fact that for Boolean variables

$$Y_i^2 = Y_i .$$

In general, once we get rid of powers of the indicator variables we can obtain the probability of the Top Event by merely substituting in probabilities for indicator variables.

If there are no replications among min cut sets and basic events are

cut sets. Hence

$$P[\text{TOP EVENT}] = P\Big[\bigcup_{s=1}^{k} E_s\Big] ,$$

where $E_s$ is the event that all basic events in $K_s$ occur, and

$$S_r = \sum_{1 \le i_1 < i_2 < \cdots < i_r \le k} P[E_{i_1} \cap E_{i_2} \cap \cdots \cap E_{i_r}] .$$

By the inclusion-exclusion principle

$$P[\text{TOP EVENT}] = \sum_{r=1}^{k} (-1)^{r-1} S_r ,$$

$$P[\text{TOP EVENT}] \le S_1 = \sum_{s=1}^{k} \prod_{i \in K_s} q_i ,$$

$$P[\text{TOP EVENT}] \ge S_1 - S_2 ,$$

$$P[\text{TOP EVENT}] \le S_1 - S_2 + S_3 .$$

The successive upper and lower bounds, however, do not necessarily converge in a monotone fashion.
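The exact evaluation of (4.0) and the inclusion-exclusion partial sums $S_1$, $S_1 - S_2$, $S_1 - S_2 + S_3$ above, as an added Python example (not code from the paper). It uses the 29 min cut sets and 2 min path sets of the pressure tank tree listed in Sections 2 and 3 and the values $q_1 = 10^{-8}$, $q_i = 10^{-5}$ of the text. The pivotal-decomposition routine `exact_probability` is this example's general way of carrying out the Boolean reduction $Y_i^2 = Y_i$ for any list of cut sets, shared events included, so it goes beyond the pressure tank case.

```python
"""Exact Top Event probability and inclusion-exclusion bounds from min cut sets,
assuming statistically independent basic events.

Added example, not code from the paper.  CUTS and PATHS are the pressure tank's
min cut sets and min path sets (Sections 2 and 3); Q holds the paper's values
q_1 = 1e-8 and q_i = 1e-5 otherwise.
"""
from functools import lru_cache
from itertools import combinations
from math import prod

CUTS = ([frozenset([i]) for i in (1, 2, 3, 4, 5)]
        + [frozenset([a, b]) for a in (6, 7, 8) for b in range(9, 17)])   # 29 min cuts
PATHS = [frozenset(range(1, 9)), frozenset([1, 2, 3, 4, 5] + list(range(9, 17)))]
Q = {i: (1e-8 if i == 1 else 1e-5) for i in range(1, 17)}


def psi(y, cuts):
    """Min cut representation: psi(Y) = 1 iff every event of some cut set occurs."""
    return int(any(all(y[i] for i in c) for c in cuts))


def exact_probability(q, cuts):
    """P[Top Event] by pivoting on one basic event at a time:
        P[psi = 1] = q_i P[psi = 1 | Y_i = 1] + (1 - q_i) P[psi = 1 | Y_i = 0].
    Conditioning on Y_i = 1 deletes i from every cut set; on Y_i = 0 it deletes
    every cut set containing i.  No power of an indicator ever arises, so this
    is the Boolean reduction done implicitly, exact even with shared events."""
    @lru_cache(maxsize=None)
    def p(cs):
        if any(len(c) == 0 for c in cs):
            return 1.0                          # an emptied cut set: Top Event certain
        if not cs:
            return 0.0                          # no cut set left: Top Event impossible
        count = {}
        for c in cs:
            for i in c:
                count[i] = count.get(i, 0) + 1
        i = max(count, key=count.get)           # pivot on the most shared event
        return (q[i] * p(frozenset(c - {i} for c in cs))
                + (1 - q[i]) * p(frozenset(c for c in cs if i not in c)))
    return p(frozenset(cuts))


def inclusion_exclusion_sums(q, cuts, order):
    """S_r = sum over r-subsets of the cut sets of P[all their basic events occur]."""
    sums = []
    for r in range(1, order + 1):
        total = 0.0
        for group in combinations(cuts, r):
            total += prod(q[i] for i in frozenset().union(*group))
        sums.append(total)
    return sums


def inclusion_exclusion_bounds(q, cuts, order=3):
    """Partial sums S_1, S_1 - S_2, S_1 - S_2 + S_3, ...: alternately upper and
    lower bounds on P[Top Event] (they need not converge monotonically)."""
    bounds, partial = [], 0.0
    for r, s in enumerate(inclusion_exclusion_sums(q, cuts, order), start=1):
        partial += (-1) ** (r - 1) * s
        bounds.append(partial)
    return bounds


def pressure_tank_closed_form(q):
    """Equation (4.0): the min path representation evaluated for the pressure tank."""
    return (1 - prod(1 - q[i] for i in range(1, 9))
            - prod(1 - q[i] for i in range(1, 17) if i not in (6, 7, 8))
            + prod(1 - q[i] for i in range(1, 17)))


if __name__ == "__main__":
    p = exact_probability(Q, CUTS)
    print(f"exact P[Top Event] = {p:.6e}  (closed form (4.0): {pressure_tank_closed_form(Q):.6e})")
    for r, b in enumerate(inclusion_exclusion_bounds(Q, CUTS), start=1):
        print(f"partial sum through S_{r} = {b:.6e}")
```

For these values the pivotal evaluation agrees with (4.0) to rounding, the text's $4 \times 10^{-5}$ is reproduced, and $S_1$ exceeds the exact value only by the $24 \times 10^{-10}$ contributed by the two-event cut sets, so the first-order bound is already adequate here; the second partial sum lies below the exact value by a few parts in $10^{15}$.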


Dependent Events.

If occurrences of basic events are not statistically independent, then the previous methods, based on assumed independence of basic events, are no longer valid. If we know that basic events are positively dependent (the technical term we shall use is associated) then we can obtain useful bounds on the probability of the Top Event. First, however, we need to introduce another Boolean representation for fault trees.
The Min-Max Representation.

Let $K_1, K_2, \ldots, K_k$ be the $k$ min cut sets for a fault tree. Then we can easily verify that

$$(4.4) \qquad \psi(Y) = \max_{1 \le s \le k} \min_{i \in K_s} Y_i .$$

For, if all basic events in some min cut set, say $K_s$, occur, then $\min_{i \in K_s} Y_i = 1$ and $\psi(Y) = 1$, i.e., the Top Event occurs. Likewise, if $\min_{i \in K_s} Y_i = 0$ for all $1 \le s \le k$, then $\psi(Y) = 0$ and the Top Event does not occur.

Sometimes it is easier to develop the fault tree structure function using the dual representation based on min paths. Let $P_1, P_2, \ldots, P_p$ be the min path sets for a specified fault tree. Then

$$\psi(Y) = \min_{1 \le r \le p} \max_{i \in P_r} Y_i .$$

If $\max_{i \in P_r} Y_i = 1$ for $1 \le r \le p$, then a basic event occurs in each min path, i.e., the Top Event occurs so that $\psi(Y) = 1$. If $\max_{i \in P_r} Y_i = 0$ for some $r$, then there is a min path set whose basic events do not occur so that the Top Event does not occur, i.e., $\psi(Y) = 0$.

Bounds on the Probability of the Top Event.

We now assume that events are associated:

Definition [Esary, Proschan and Walkup (1967)]. Random variables $T_1, T_2, \ldots, T_n$ are associated if

$$\mathrm{Cov}[\Gamma(T), \Delta(T)] \ge 0$$

for all binary, increasing functions $\Gamma$ and $\Delta$.

In a great many reliability situations, the random variables of interest are not independent, but rather are "associated". As examples, consider

(a) indicator functions of min cut sets which have basic events in common;

(b) components subjected to a common environment;

(c) structures in which components share the load, so that failure of one component results in increased load on each of the remaining components.

In case (a), if the basic events are independent, the min cut indicator functions are associated and not independent. Examples (b) and (c) are physical situations which could lead to associated indicator random variables.

Theorem 4.1:

If indicator random variables $Y_1, Y_2, \ldots, Y_n$ are associated, then

$$(4.5) \qquad \max_{1 \le s \le k} \prod_{i \in K_s} q_i \le P[\text{Top Event}] \le \min_{1 \le r \le p} \coprod_{i \in P_r} q_i .$$

Note that, in contrast to (4.3), the lower bound depends on min cut sets.

Proof:

The following always holds

$$\min_{i \in K_s} Y_i \le \psi(Y) \le \max_{i \in P_r} Y_i$$

for all $r$ ($1 \le r \le p$) and $s$ ($1 \le s \le k$). It follows that

$$\max_{1 \le s \le k} P\Big[\min_{i \in K_s} Y_i = 1\Big] \le P[\psi(Y) = 1] \le \min_{1 \le r \le p} P\Big[\max_{i \in P_r} Y_i = 1\Big]$$

is always true.

Since $Y_1, Y_2, \ldots, Y_n$ are associated
$$(4.6) \qquad E \prod_{i \in K_s} Y_i \ge \prod_{i \in K_s} q_i$$

and

$$(4.7) \qquad E \coprod_{i \in P_r} Y_i \le \coprod_{i \in P_r} q_i$$

[Esary, Marshall and Proschan (1967)]. (4.5) follows from the observation that

$$\min_{i \in K_s} Y_i = \prod_{i \in K_s} Y_i$$

and

$$\max_{i \in P_r} Y_i = \coprod_{i \in P_r} Y_i . \qquad \blacksquare$$

If basic events are statistically independent and the $q_i$'s are small, the upper bound in (4.3) will very likely be the better bound. However, for large values of the $q_i$'s, (4.5) may provide the better bound. To illustrate this, consider a fault tree with min cut sets

$$K_1 = \{1,2\},\ K_2 = \{1,3\},\ K_3 = \{1,4\},\ K_4 = \{2,3\},\ K_5 = \{2,4\},\ K_6 = \{3,4\} .$$

For simplicity suppose $q_1 = q_2 = q_3 = q_4 = q$. The upper bound in (4.3) is $1 - [1 - q^2]^6$ while the upper bound in (4.5) is $1 - (1 - q)^3$. The min-max upper bound is smaller than the min cut upper bound when $q \ge .62$.
Example: The Pressure Tank.

Assume $q_1 = 10^{-8}$ and $q_2 = q_3 = \cdots = q_{16} = 10^{-5}$. Then

$$P[\psi(Y) = 1] \le \min_{1 \le r \le 2} \coprod_{i \in P_r} q_i \approx 7 \times 10^{-5} .$$

On the other hand

$$P[\psi(Y) = 1] \ge \max_{1 \le s \le 29} \prod_{i \in K_s} q_i \approx 10^{-5} .$$

Hence, assuming only that basic events are associated, we have

$$10^{-5} \le P[\text{Top Event}] \le 7 \times 10^{-5} .$$
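Theorem 4.1 applied to the pressure tank, and the comparison of the min-max upper bound of (4.5) with the min cut upper bound of (4.3) for the 4-event tree above, as an added Python example (not code from the paper). The cut and path sets are those given in the text; the function names and the grid search `crossover_q`, which locates the value of $q$ at which (4.5) becomes the tighter bound, are this example's own.

```python
"""Bounds on P[Top Event] for associated (positively dependent) basic events.

Added example, not code from the paper.  Evaluates the min-max bounds (4.5) of
Theorem 4.1 and compares the min-max upper bound with the min cut upper bound
coprod_s prod_{i in K_s} q_i of (4.3), for the 4-event tree of the text and for
the pressure tank (cut and path sets from Sections 2 and 3).
"""
from itertools import combinations
from math import prod


def coproduct(values):
    """The set-sum notation of Section 4: 1 - prod(1 - v)."""
    return 1 - prod(1 - v for v in values)


def min_max_bounds(q, cuts, paths):
    """(4.5): max_s prod_{i in K_s} q_i <= P[Top Event] <= min_r coprod_{i in P_r} q_i.
    Valid whenever the basic events are associated; independence is not needed."""
    lower = max(prod(q[i] for i in c) for c in cuts)
    upper = min(coproduct(q[i] for i in p) for p in paths)
    return lower, upper


def min_cut_upper_bound(q, cuts):
    """Upper bound of (4.3): coprod_s prod_{i in K_s} q_i."""
    return coproduct(prod(q[i] for i in c) for c in cuts)


# 4-event tree of the text: every pair is a min cut, so every triple is a min path
CUTS4 = [frozenset(c) for c in combinations(range(1, 5), 2)]
PATHS4 = [frozenset(p) for p in combinations(range(1, 5), 3)]


def crossover_q(cuts, paths, step=0.01):
    """Smallest common q on a grid at which the min-max upper bound is no larger
    than the min cut upper bound; the text gives about .62 for the 4-event tree."""
    events = set().union(*cuts)
    for k in range(1, int(round(1 / step))):
        q = round(k * step, 10)
        qs = {i: q for i in events}
        if min_max_bounds(qs, cuts, paths)[1] <= min_cut_upper_bound(qs, cuts):
            return q
    return None


# pressure tank of Sections 2 and 3, with q_1 = 1e-8 and q_i = 1e-5 otherwise
TANK_CUTS = ([frozenset([i]) for i in (1, 2, 3, 4, 5)]
             + [frozenset([a, b]) for a in (6, 7, 8) for b in range(9, 17)])
TANK_PATHS = [frozenset(range(1, 9)), frozenset([1, 2, 3, 4, 5] + list(range(9, 17)))]
TANK_Q = {i: (1e-8 if i == 1 else 1e-5) for i in range(1, 17)}


if __name__ == "__main__":
    lo, hi = min_max_bounds(TANK_Q, TANK_CUTS, TANK_PATHS)
    print(f"pressure tank, associated events: {lo:.3e} <= P[Top Event] <= {hi:.3e}")
    print(f"min cut upper bound (4.3) for the tank: {min_cut_upper_bound(TANK_Q, TANK_CUTS):.3e}")
    print(f"4-event tree: min-max bound tighter from q = {crossover_q(CUTS4, PATHS4)}")
```

The lower bound for the tank comes from the single-event cut sets {2}, ..., {5}, the upper bound from the shorter min path set {1, ..., 8}; for the 4-event tree the grid search returns 0.62, matching the text.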


Modules.

A module of a fault tree is a set of basic events $M$, together with an indicator function $\chi$, such that

$$\psi(Y) = \Gamma[\chi(Y^M), Y^{M^c}]$$

where $\Gamma$ is nondecreasing and $Y^M$ means the coordinates of $Y$ are restricted to $M$ (and $Y^{M^c}$ to the complement of $M$). Modules were described for coherent structures by Birnbaum and Esary (1965). Decomposing a tree in terms of modules can be useful in reducing the computation required for probabilistic evaluation of fault trees. Suppose we can find a modular decomposition $\{(M_1, \chi_1), \ldots, (M_r, \chi_r)\}$ such that $\chi_1(Y), \ldots, \chi_r(Y)$ are statistically independent, although $Y_i$ for $i \in M_s$ ($1 \le s \le r$) may be associated. Then

$$(4.8) \qquad P[\psi(Y) = 1] = g_\Gamma\big[P[\chi_1(Y) = 1], \ldots, P[\chi_r(Y) = 1]\big] \le g_\Gamma\big[u_{\chi_1}(q), \ldots, u_{\chi_r}(q)\big]$$

where $u_{\chi_s}(q)$ is the min-max upper bound, (4.5), for module $M_s$ and $g_\Gamma$ is the expected value of $\Gamma[\chi_1, \ldots, \chi_r]$. (4.8) follows from the monotonicity of $g_\Gamma$. In applications, it may be useful to decompose the tree into statistically independent modules and apply (4.8) rather than to apply (4.5) directly since (4.5) will be more conservative.
Time to Occurrence of the Top Event.

First, we suppose that once a basic event occurs, it cannot be rectified. Suppose basic event $i$ occurs at time $T_i$ and the Top Event occurs at time $T$. Let

$$Y_i(t) = \begin{cases} 1 & \text{if } T_i \le t \\ 0 & \text{otherwise.} \end{cases}$$

Then

$$P[\text{Top Event occurs by time } t] = E\psi[Y(t)]$$

where $Y(t) = (Y_1(t), \ldots, Y_n(t))$, since $\psi$ is nondecreasing. If $P[T_i \le t] = F_i(t)$ then we can compute $E\psi[Y(t)]$ by using the previous algorithms with $q_i$ replaced by $F_i(t)$. In particular, (4.5) becomes

$$\max_{1 \le s \le k} \prod_{i \in K_s} F_i(t) \le E\psi[Y(t)] \le \min_{1 \le r \le p} \coprod_{i \in P_r} F_i(t) .$$
Mean Time to Occurrence of the Top Event.

To calculate the mean time to occurrence of the Top Event we need the distribution of time to occurrence of the Top Event. Since this is often difficult or impossible to compute, we obtain a useful lower bound on the mean.

First, we observe that

$$(4.9) \qquad T = \min_{1 \le s \le k} \max_{i \in K_s} T_i$$

and also

$$(4.10) \qquad T = \max_{1 \le r \le p} \min_{i \in P_r} T_i .$$

To see (4.9) note that the Top Event occurs as soon as the first min cut event occurs. A specified min cut can only cause the Top Event after the last event time in the min cut set.

To see (4.10) note that the Top Event occurs after the last min path fails. A min path set fails as soon as any event in the set occurs.

To obtain the mean time to occurrence of the Top Event, $ET$, one might think of substituting mean occurrence times in (4.9) or (4.10). This will not give the expected time to occurrence of the Top Event.


Theorem 4.2:

If times to occurrence of basic events are associated and $-\log \bar F_i(t)/t$ is nondecreasing in $t > 0$ for $i = 1, 2, \ldots, n$, then

$$(4.11)\qquad \max_{1 \le r \le p} \Big[ \sum_{i \in P_r} \mu_i^{-1} \Big]^{-1} \;\le\; ET \;\le\; \min_{1 \le s \le k} \int_0^\infty \coprod_{i \in K_s} G_i(t)\,dt$$

where $\mu_i = \int_0^\infty t\,dF_i(t)$ and $G_i(t) = e^{-t/\mu_i}$ for $i = 1, 2, \ldots, n$. (If $F_i$ has nondecreasing occurrence rate, $dF_i(t)/\bar F_i(t)$, then $-\log \bar F_i(t)/t$ is nondecreasing for $t > 0$.)
Proof:

Using (4.9) and (4.10) we see that

$$E \min_{i \in P_r} T_i \;\le\; ET \;\le\; E \max_{i \in K_s} T_i$$

holds for $1 \le r \le p$ and $1 \le s \le k$. Hence

$$(4.12)\qquad \max_{1 \le r \le p} E \min_{i \in P_r} T_i \;\le\; ET \;\le\; \min_{1 \le s \le k} E \max_{i \in K_s} T_i .$$

To show the upper bound, observe that

$$P\Big[\max_{i \in K_s} T_i > t\Big] = P\Big[\coprod_{i \in K_s} (1 - Y_i(t)) = 1\Big] \;\le\; \coprod_{i \in K_s} P[Y_i(t) = 0]$$

by association [Esary, Proschan and Walkup (1967)]. Also

$$E \max_{i \in K_s} T_i = \int_0^\infty P\Big[\max_{i \in K_s} T_i > t\Big]\,dt \;\le\; \int_0^\infty \coprod_{i \in K_s} P[Y_i(t) = 0]\,dt \;\le\; \int_0^\infty \coprod_{i \in K_s} G_i(t)\,dt$$

since $F_i(t) = P[Y_i(t) = 1]$, $i = 1, 2, \ldots, n$, have the property that $-\log \bar F_i(t)/t$ is nondecreasing, i.e. $F_i$ is IFRA (increasing failure rate on the average) [Marshall and Proschan (1970)]. The upper bound follows by substituting in (4.12). To show the lower bound, observe that

$$P\Big[\min_{i \in P_r} T_i > t\Big] = P\Big[\prod_{i \in P_r} (1 - Y_i(t)) = 1\Big] \;\ge\; \prod_{i \in P_r} P[Y_i(t) = 0]$$

by association [Esary, Proschan and Walkup (1967)]. Also

$$E \min_{i \in P_r} T_i = \int_0^\infty P\Big[\min_{i \in P_r} T_i > t\Big]\,dt \;\ge\; \int_0^\infty \prod_{i \in P_r} P[Y_i(t) = 0]\,dt \;\ge\; \int_0^\infty \prod_{i \in P_r} G_i(t)\,dt ,$$

again using the IFRA property of $F_i$ ($i = 1, 2, \ldots, n$). The lower bound follows by substituting in (4.12). ||


Example. The Pressure Tank.

Suppose $ET_1 = 10^8$ cycles and $ET_i = 10^5$ cycles for $i > 1$. Then, using
5. MEASURES OF EVENT IMPORTANCE

The  next  step  after  obtaining  the  fault  tree  minimal  cuts  is  to  determine 
the  relative  importance  of  basic  events  to  the  occurrence  of  the  Top  Event. 

From  the  list  of  min  cuts  for  the  pressure  tank  example,  it  is  intuitively 
clear  that  basic  events  1  ,  2  ,  3  ,  4  and  5  are  the  most  important  since 
each  is  a  one  component  min  cut.  However,  the  relative  importance  of  the 
remaining  basic  events  is  less  clear. 

Suppose the Top Event occurs and we perform an autopsy to determine the cause. In practice we may find that several min cuts have occurred. However, if we think of events occurring sequentially in time and suppose two or more events cannot occur precisely at the same instant, then there must have been one event which "caused" the Top Event.

In order to compute the probability that basic event i causes the Top Event, let $F_i(t)$ be the probability that basic event i ($i = 1, 2, \ldots, n$) occurs before time $t$. We also assume $F_i$ continuous. Let $p_i = 1 - F_i$ and

$$h(p) = 1 - E\psi(Y)$$

be the probability that the Top Event does not occur, where $p = (p_1, p_2, \ldots, p_n)$.

If all basic events have the same occurrence distribution (or have approximately equal occurrence rates) then it is shown in Barlow and Proschan (1973) that

$$(5.1)\qquad \int_0^1 [h(1_i, p) - h(0_i, p)]\,dp$$

is the probability that basic event i causes the Top Event, where

$$h(1_i, p) = h(p, \ldots, p, 1_i, p, \ldots, p)$$

and

$$h(0_i, p) = h(p, \ldots, p, 0_i, p, \ldots, p) .$$
$$h(p) = \prod_{i=1}^{8} p_i + \prod_{i \ne 6,7,8} p_i - \prod_{i=1}^{16} p_i .$$

For $i = 1$,

$$h(1_1, p) = p^7 + p^{12} - p^{15}$$

and

$$h(0_1, p) = 0 .$$

Hence

$$\int_0^1 [h(1_1, p) - h(0_1, p)]\,dp = .13942 .$$

Assuming all events have equal occurrence rates, the likelihood that the pressure tank causes the Top Event is approximately .14.

More generally, let $E_i$ be the event that basic event i causes the Top Event. Then

$$P[E_1] = \cdots = P[E_5] = .13942$$
$$P[E_6] = P[E_7] = P[E_8] = .0625$$
$$P[E_9] = \cdots = P[E_{16}] = .01442 .$$

Note that the probabilities sum to one as they should, since when the Top Event occurs, it must have been caused by one of events 1 through 16.

Events 1 through 5 will cause 70% of the failures in this case. Note that it was unnecessary to know the common occurrence rate.


Proportional Occurrence Rates.

We say that event occurrence distributions, $F_i$, have proportional occurrence rates if

$$\bar F_i(t) = [\bar F(t)]^{\lambda_i}$$

where $\lambda_i > 0$, $i = 1, 2, \ldots, n$. It is only necessary to specify the $\lambda_i$'s to compute the probability that basic event i causes the Top Event. The computing formula is

$$(5.2)\qquad \int_0^1 [h(1_i, p^{\lambda}) - h(0_i, p^{\lambda})]\,\lambda_i\, p^{\lambda_i - 1}\,dp$$

where

$$h(1_i, p^{\lambda}) = h(p^{\lambda_1}, \ldots, p^{\lambda_{i-1}}, 1_i, p^{\lambda_{i+1}}, \ldots, p^{\lambda_n})$$

and

$$h(0_i, p^{\lambda}) = h(p^{\lambda_1}, \ldots, p^{\lambda_{i-1}}, 0_i, p^{\lambda_{i+1}}, \ldots, p^{\lambda_n}) .$$

(5.2) is proved in Barlow and Proschan (1973).


Example. The Pressure Tank (unequal occurrence rates).

Assuming basic event 1 has occurrence rate $10^{-8}$ per cycle while all other events have occurrence rate $10^{-5}$ per cycle, we wish to calculate the probability of basic event i causing the Top Event. In this case $\lambda_1 = 10^{-3}\lambda_i$ for $i > 1$. For convenience, let $\lambda_1 = .001$ and $\lambda_i = 1$ for $i > 1$. (Actually occurrence rates could be time dependent so long as the proportions are as assumed.) Using (5.2) we calculate

$$P[E_1] = .0001595$$
$$P[E_2] = P[E_3] = P[E_4] = P[E_5] = .1595$$
$$P[E_6] = P[E_7] = P[E_8] = .07617$$
$$P[E_9] = \cdots = P[E_{16}] = .016664 .$$

The importance of events 2 through 8 has increased by about 1% over the previous example, while event 1 is now negligible.

The  importance  of  min  cut  sets  is  discussed  in  Barlow  and  Proschan  (1973). 

Marginal Importance of Basic Events.

Birnbaum (1969) proposed $\partial h(p)/\partial p_i$ as a measure of the importance of basic event i. This measure of event importance is useful for determining design improvements based on cost considerations. Letting $p_1 = p_2 = \cdots = p_n = 1/2$, we call this the structural (marginal) importance of basic event i. This can also be described in terms of critical path sets.

A set is a critical path set for basic event i if it is a path set containing i such that each of its min path sets contains i. Let $n(i)$ be the number of critical path sets for i. Then we define the Birnbaum importance of basic event i by

$$B(i) = 2^{-(n-1)}\, n(i) ,$$

where $n$ denotes the number of basic events in the event tree.

To compute $n(i)$, assume the $Y_i$'s are statistically independent, $EY_i = E(1 - Y_i) = 1/2$ for $i = 1, 2, \ldots, n$, and use the formula

$$n(i) = 2^{n-1} E[\psi(1_i, Y) - \psi(0_i, Y)]$$

[Cf. Barlow and Proschan (1973).]

Example. The Pressure Tank.

Use

$$\psi(Y) = \Big[1 - \prod_{i=1}^{8} (1 - Y_i)\Big]\Big[1 - \prod_{i \ne 6,7,8} (1 - Y_i)\Big]$$

to compute

$$E[\psi(1_i, Y) \mid EY_i = 1/2,\; i = 1, 2, \ldots, n]$$

and

$$E[\psi(0_i, Y) \mid EY_i = 1/2,\; i = 1, 2, \ldots, n] .$$

For basic event 1,

$$n(1) = 2^{15} E\Big[1 - \Big[1 - \prod_{i=2}^{8} (1 - Y_i)\Big]\Big[1 - \prod_{i \ne 1,6,7,8} (1 - Y_i)\Big]\Big] = 2^{15}\big[(1/2)^7 + (1/2)^{12} - (1/2)^{15}\big] = 263 .$$


It is not hard to see that

$$n(1) = n(2) = n(3) = n(4) = n(5) = 263 .$$

For basic event 6, $n(6) = 255$. Also $n(6) = n(7) = n(8) = 255$.

For basic event 9, $n(9) = 7$. It is not hard to see that

$$n(9) = n(10) = n(11) = n(12) = n(13) = n(14) = n(15) = n(16) = 7 .$$

The Birnbaum importance ordering of events is therefore

1 ~ 2 ~ 3 ~ 4 ~ 5 > 6 ~ 7 ~ 8 > 9 ~ 10 ~ 11 ~ 12 ~ 13 ~ 14 ~ 15 ~ 16,

where "1 ~ 2" means 1 and 2 are equally important in the event tree, and "5 > 6" means 5 is more important than 6 in the event tree. Figure 10 provides a key to the original example of Figure 6. For example, we see that the pressure tank itself and the K2 relay are structurally most important. The pressure switch is next most important, while the timer, the K1 relay, and the S1 switch are the least important structurally.
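An added example, not from the paper, evaluating the computing formulas (5.1) and (5.2) and the count n(i) of critical path sets for the pressure tank from the two min path sets read off its h(p). It assumes independent basic events, so h expands by inclusion-exclusion over sub-families of min path sets; the closed form used for each term of (5.2), $\lambda_i / \sum_{j \in \text{union}} \lambda_j$, is derived here (it is not stated in the paper) and makes numerical integration unnecessary.

```python
from fractions import Fraction
from itertools import combinations

# Constructed from the paper's pressure-tank example: 16 basic events and the two min
# path sets read off h(p) = prod_{1..8} p_i + prod_{i!=6,7,8} p_i - prod_{1..16} p_i.
N_EVENTS = 16
PATH_SETS = [frozenset(range(1, 9)),
             frozenset(i for i in range(1, 17) if i not in (6, 7, 8))]
EQUAL = {i: Fraction(1) for i in range(1, 17)}              # lambda_i = 1 for all i
UNEQUAL = {**EQUAL, 1: Fraction(1, 1000)}                   # lambda_1 = .001, others 1

def ie_terms(path_sets):
    """Yield (sign, union) for every non-empty sub-family of min path sets; with
    independent basic events h(p) = sum of sign * prod_{j in union} p_j."""
    for k in range(1, len(path_sets) + 1):
        for fam in combinations(path_sets, k):
            yield (-1) ** (k + 1), frozenset().union(*fam)

def h(p, path_sets=PATH_SETS):
    """P[Top Event does not occur]; p maps each basic event to P[it has not occurred]."""
    total = 0
    for sign, union in ie_terms(path_sets):
        prod = 1
        for j in union:
            prod *= p[j]
        total += sign * prod
    return total

def bp_importance(i, rates, path_sets=PATH_SETS):
    """Eq. (5.2): P[basic event i causes the Top Event] under proportional occurrence
    rates lambda_j.  Only terms whose union contains i survive h(1_i,.) - h(0_i,.),
    and each integrates to lambda_i / sum_{j in union} lambda_j.  (5.1) is rates=EQUAL."""
    return sum(sign * rates[i] / sum(rates[j] for j in union)
               for sign, union in ie_terms(path_sets) if i in union)

def critical_paths(i, n=N_EVENTS, path_sets=PATH_SETS):
    """n(i) = 2^(n-1) [h(1_i, 1/2) - h(0_i, 1/2)], exact in rational arithmetic."""
    p_up = {j: Fraction(1, 2) for j in range(1, n + 1)}
    p_down = dict(p_up)
    p_up[i], p_down[i] = Fraction(1), Fraction(0)
    return int(2 ** (n - 1) * (h(p_up, path_sets) - h(p_down, path_sets)))

if __name__ == "__main__":
    for i in (1, 2, 6, 9):
        print(i, float(bp_importance(i, EQUAL)), float(bp_importance(i, UNEQUAL)),
              critical_paths(i), "critical path sets")
```

Because the sum over all events of the (5.2) terms telescopes to h(1, ..., 1) = 1, the causing probabilities add to one exactly for any rates, which is a useful check on a hand-built path-set list.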
Basic    Prob. i causes   Number of critical paths, n(i),   Description of
event i  rupture          containing basic event i          basic events
-------  ---------------  --------------------------------  ---------------------------------------------------------
   1     (.000159)                   263                    Pressure tank failure
   2     (.159500)                   263                    Secondary failure of pressure tank due to improper selection
   3     (.159500)                   263                    Secondary failure of pressure tank due to out-of-tolerance conditions
   4     (.159500)                   263                    K2 relay contacts fail to open
   5     (.159500)                   263                    K2 relay secondary failure
   6     (.0761745)                  255                    Pressure switch secondary failure
   7     (.0761745)                  255                    Pressure switch contacts fail to open
   8     (.0761745)                  255                    Excess pressure not sensed by pressure actuated switch
   9     (.016664)                     7                    S1 switch secondary failure
  10     (.016664)                     7                    S1 switch contacts fail to open
  11     (.016664)                     7                    External reset actuation force remains on switch S1
  12     (.016664)                     7                    K1 relay contacts fail to open
  13     (.016664)                     7                    K1 relay secondary failure
  14     (.016664)                     7                    Timer does not "time off" due to improper setting
  15     (.016664)                     7                    Timer relay contacts fail to open
  16     (.016664)                     7                    Timer relay secondary failure

FIGURE 10: KEY TO PRESSURE TANK EXAMPLE


COMPUTER  PROCESSING  OF  FAULT  TREES 


In this section we give a brief description of a Fortran program called TREEL which has been developed for processing fault trees.

The handling of complex systems necessitates various error checks on the input data. Fault trees are represented to the computer by describing each gate of the tree with one card. It contains an alphanumeric name of the gate, the type of the gate, the number of gate inputs and basic event inputs, and their alphanumeric names. The program 'TREEL' not only makes error checks, from punching mistakes to circular logic, but also reindexes the gates and components. This indexing is of great importance in analyzing the fault tree in an efficient manner.

For a system with 2000 gates and 2000 basic events we would index the basic events from 1 to 2000 and the gates by integers from 2001 to 4000. Gates are indexed in the order they appear in the tree from the bottom, i.e. the lowest level gates are those which have only basic events as inputs. This indexing scheme assures us that if a gate gets index I then it has inputs whose indices are less than I.

Apart from indexing the gates, the program also produces the Fortran equivalent of the tree logic. Thus we can evaluate the system state given the component states.

We  also  obtain  bounds  on  the  number  of  min  cut  sets  and  max  size  of  the 
min  cut  sets  of  this  tree  as  well  as  the  dual  tree.  This  information  is  a 
valuable  aid  in  determining  which  tree  to  work  on. 

We  also  obtain  the  degree  of  replication  of  the  gates  and  basic  events  in 
the  tree.  The  number  of  times  a  gate  is  replicated  in  the  tree  is  a  helpful 
aid  in  reducing  storage  requirements  of  min  cut  set  algorithms  [Chatterjee  (1973)]. 

Subroutine  XREF  prints  out  the  cross-reference  table  of  the  tree  index  and 
the  alphanumeric  identification  names  of  the  gates  and  basic  events. 


The program is written in FORTRAN for the CDC 6400. This program has lower storage requirements, shorter execution time and more flexibility (i.e. it is not restricted to 'AND' and 'OR' gates) than the comparable program of Vesely and Narum [1970]. The generalized version of the program takes care of any gate for which the logic function is well defined and can be written as a FUNCTION routine.
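As an added example, not the TREEL program itself, the indexing scheme and checks described in this section in Python: each gate record carries its type, its input counts and its input names (constructed records, standing in for the cards), basic events are numbered 1..n, gates get bottom-up indices above n, punching mistakes and circular logic are rejected, and the indexed tree is then evaluated in index order. The small logic table stands in for the FUNCTION routines the text mentions.

```python
from collections import Counter, deque

# Constructed tree in the one-record-per-gate form the text describes:
# name -> (gate type, number of gate inputs, number of basic event inputs, input names).
# Added example, not TREEL; the logic table stands in for the FUNCTION routines.
GATES = {
    "TOP": ("AND", 2, 0, ["G1", "G2"]),
    "G1":  ("OR",  0, 3, ["E1", "E2", "E3"]),
    "G2":  ("OR",  1, 1, ["E1", "G3"]),
    "G3":  ("AND", 0, 2, ["E4", "E5"]),
}
LOGIC = {"AND": all, "OR": any}     # any gate with a well-defined logic function fits here

def index_tree(gates):
    """Basic events get 1..n and gates get n+1.. in bottom-up order, so every gate's
    inputs carry smaller indices.  Rejects punching mistakes (declared input counts
    that disagree with the card) and circular logic (gates that never become ready)."""
    for g, (_, n_gate, n_basic, ins) in gates.items():
        got = sum(x in gates for x in ins)
        if (got, len(ins) - got) != (n_gate, n_basic):
            raise ValueError(f"gate {g}: input counts on card do not match its inputs")
    events = sorted({x for *_, ins in gates.values() for x in ins if x not in gates})
    index = {e: i + 1 for i, e in enumerate(events)}
    remaining = {g: n_gate for g, (_, n_gate, _, _) in gates.items()}
    users = {g: [u for u, (*_, ins) in gates.items() if g in ins] for g in gates}
    ready = deque(sorted(g for g, k in remaining.items() if k == 0))   # lowest level
    while ready:
        g = ready.popleft()
        index[g] = len(index) + 1
        for u in users[g]:
            remaining[u] -= 1
            if remaining[u] == 0:
                ready.append(u)
    if len(index) < len(events) + len(gates):
        raise ValueError("circular logic among " + ", ".join(sorted(set(gates) - set(index))))
    return index

def evaluate(gates, index, event_state):
    """System state from basic event states (True = event occurs), visiting gates in
    index order so every input is already known when its gate is reached."""
    state = dict(event_state)
    for g in sorted(gates, key=index.get):
        kind, *_, ins = gates[g]
        state[g] = LOGIC[kind](state[x] for x in ins)
    return state

def replication(gates):
    """Degree of replication: how often each gate or basic event appears as an input."""
    return Counter(x for *_, ins in gates.values() for x in ins)
```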

